Managing TLS Certificate, KeyStore, and TrustStore Files

Transcription

1 Managing TLS Certificate, KeyStore, and TrustStore Files This chapter contains the following sections: About the TLS Certificate, KeyStore, and TrustStore Files, page 1 Preparing to Generate the TLS Credentials, page 1 Creating a Public Certificate Using SSL Certification, page 6 About the TLS Certificate, KeyStore, and TrustStore Files Note When Cisco Nexus Data Broker is started in a normal way, the connection to the device is HTTP. When Cisco Nexus Data Broker is started using the TLS protocol, the connection to the device is in HTTPS. Note To configure High Availability clusters in TLS mode, you need to run Cisco Nexus Data Broker in TLS mode for each instance of Cisco Nexus Data Broker. Cisco Nexus Series switches connecting to Cisco Nexus Data Broker over OpenFlow require additional credentials, including Private Key, Certificate, and Certificate Authority (CA). The TLS TrustStore file contains the Certification Authority (CA) certificates used to sign the certificates on the connecting switches. Preparing to Generate the TLS Credentials OpenFlow switches require cryptographic configuration to enable TLS. The NX-API protocol plugin now supports TLS for secure communication to the devices. You can connect to the NX-API protocol plugin on the secure port 443. All configuration, discovery, and statistics collection is done using secure communication. Cisco Nexus Data Broker should be configured with the required 1

2 Preparing to Generate the TLS Credentials Managing TLS Certificate, KeyStore, and TrustStore Files certificates and it should be started in the secure mode. When Cisco Nexus Data Broker is started in TLS mode, all devices support the TLS connection. The normal unencrypted connection to the switches is not accepted. Caution Self-signed certificates are appropriate only for testing in small deployments. For additional security and more granular controls over individual certificate use and revocation, you should use certificates generated by your organization's Certificate Authority. In addition, you should never use the keys and certificates generated by this procedure in a production environment. Before You Begin Ensure that OpenSSL is installed on the Linux host where these steps will be performed. SUMMARY STEPS 1. Create a TLS directory using mkdir -p TLS command and then navigate to it using cd TLS command: 2. Set up the directories for your CA system to function within. Create three directories under mypersonalca using mkdir -p mypersonalca/<directory name> command. To initialize the serial file and the index.txt file, enter echo "01" > mypersonalca/serial command and touch mypersonalca/index.txt command respectively. 3. Create the CA configuration file (ca.cnf). Before saving the ca.cnf file, some changes need to be made that are specific to the devices. One critical change is to change the [alt_names] section in the ca.cnf file to be relevant to the device IP address, because these IP addresses should be specified in the configuration file. If you need more or fewer IP/DNS names, you can add or remove the lines. 4. Once the directory structure is created and the configuration file (ca.cnf) is saved on your disk, create the TLS certificate file. 5. Copy server.key and server.crt into respective devices and install by using the following commands: 6. Creating the TLS KeyStore File 7. Creating the TLS TrustStore File 8. Starting application with TLS DETAILED STEPS Step 1 Step 2 Create a TLS directory using mkdir -p TLS command and then navigate to it using cd TLS command: mkdir -p TLS cd TLS Set up the directories for your CA system to function within. Create three directories under mypersonalca using mkdir -p mypersonalca/<directory name> command. To initialize the serial file and the index.txt file, enter echo "01" > mypersonalca/serial command and touch mypersonalca/index.txt command respectively. mkdir -p mypersonalca/certs mkdir -p mypersonalca/private mkdir -p mypersonalca/crl echo "01" > mypersonalca/serial touch mypersonalca/index.txt 2

3 Managing TLS Certificate, KeyStore, and TrustStore Files Preparing to Generate the TLS Credentials The serial file and the index.txt file are used by the CA to maintain its database of the certificate files. Step 3 Create the CA configuration file (ca.cnf). Before saving the ca.cnf file, some changes need to be made that are specific to the devices. One critical change is to change the [alt_names] section in the ca.cnf file to be relevant to the device IP address, because these IP addresses should be specified in the configuration file. If you need more or fewer IP/DNS names, you can add or remove the lines. Note This step is applicable to NX-API only. The following is an example of the content of the ca.cnf file: [ ca ] default_ca = CA_default [ CA_default ] dir =. serial = $dir/serial database = $dir/index.txt new_certs_dir = $dir/newcerts certs = $dir/certs certificate = $certs/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = sha1 preserve = no _in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match copy_extensions = copy [ policy_match ] countryname stateorprovincename organizationname organizationalunitname commonname address = match = match = match = optional = supplied = optional [ req ] default_bits = 2048 # Size of keys default_keyfile = example.key # name of generated keys default_md = sha1 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string 3

4 Preparing to Generate the TLS Credentials Managing TLS Certificate, KeyStore, and TrustStore Files # organizationName = Organization Name (company) organizationalunitname = Organizational Unit Name (department, division) address = Address address_max = 40 localityname = Locality Name (city, district) stateorprovincename = State or Province Name (full name) countryname = Country Name (2 letter code) countryname_min = 2 countryname_max = 2 commonname = Common Name (hostname, IP, or your name) commonname_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value # commonname_default = 0.organizationName_default = Cisco localityname_default = San Jose stateorprovincename_default = CA countryname_default = US address_default = webmaster@cisco.com [ v3_ca ] basicconstraints subjectkeyidentifier authoritykeyidentifier = CA:TRUE = hash = keyid:always,issuer:always [ v3_req ] # Extensions to add to a certificate request basicconstraints = CA:FALSE keyusage = nonrepudiation, digitalsignature, keyencipherment # Some CAs do not yet support subjectaltname in CSRs. # Instead the additional names are form entries on web # pages where one requests the certificate... subjectaltname [alt_names] IP.1 = IP.2 = IP.3 = IP.4 = [ server ] # Make a cert with nscerttype set to "server" basicconstraints=ca:false 4

5 Managing TLS Certificate, KeyStore, and TrustStore Files Preparing to Generate the TLS Credentials nscerttype = server nscomment = "OpenSSL Generated Server Certificate" subjectkeyidentifier=hash authoritykeyidentifier=keyid,issuer:always [ client ] # Make a cert with nscerttype set to "client" basicconstraints=ca:false nscerttype = client nscomment = "OpenSSL Generated Client Certificate" subjectkeyidentifier=hash authoritykeyidentifier=keyid,issuer:always Step 4 Step 5 Step 6 Step 7 Once the directory structure is created and the configuration file (ca.cnf) is saved on your disk, create the TLS certificate file. Generate the TLS private key and Certification Authority (CA) files by entering the openssl req -x509 -nodes -days newkey rsa:2048 -out mypersonalca/certs/ca.pem -outform PEM -keyout mypersonalca/private/ca.key command. This step generates the TLS private key in PEM format with a key length of 2048 bits and the CA file. Generate the certificates (server.key and server.crt) file by entering openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key -config Example.conf Copy server.key and server.crt into respective devices and install by using the following commands: configure terminal to enter the configure terminal mode. nxapi certificate httpskey keyfile bootflash:///server.key where bootflash:/// is a file location of server.key. nxapi certificate httpscrt certfile bootflash:///server.crt where bootflash:/// is a file location of server.crt. nxapi certificate enable Creating the TLS KeyStore File Note The TLS KeyStore file should be placed in the configuration directory of Cisco Nexus Data Broker. Copy server.key to xnc-privatekey.pem. This command copies the server.key file that was generated in step 5. For example, use the command cp server.key xnc-privatekey.pem. Copy server.crt to xnc-cert.pem. This command makes a copy of the server.crt file that was generated in step 5. For example, use the command cp server.crt xnc-cert.pem. Create the xnc.pem file, that contains the private key and certificate, by entering the cat xnc-privatekey.pem xnc-cert.pem > xnc.pem command. Convert the PEM file xnc.pem file to the file xnc.p12 file by entering the openssl pkcs12 -export -out xnc.p12 -in xnc.pem command. Enter a password at the prompt. This is the Export password. The password must contain at least 6 characters, for example, cisco123. You must use the same password for this step and for Step 7. The xnc.pem file is converted to a password-protected.p12 file. Convert the xnc.p12 to a Java KeyStore (tlskeystore) file by entering the keytool -importkeystore -srckeystore xnc.p12 -srcstoretype pkcs12 -destkeystore tlskeystore -deststoretype jks command. This command converts the xnc.p12 file to a password-protected tlskeystore file. Enter a password at the prompt. Use the same password that you entered in previous step. Creating the TLS TrustStore File The TLS TrustStore file should be placed in the application configuration directory. 5

6 Creating a Public Certificate Using SSL Certification Managing TLS Certificate, KeyStore, and TrustStore Files Copy the mypersonalca/certs/ca.pem file to sw-cacert.pem. Convert the sw-cacert.pem file to a Java TrustStore (tlstruststore) file by entering the keytool -import -alias swca1 -file sw-cacert.pem -keystore tlstruststore command. Enter a password at the prompt. The sw-cacert.pem file is converted into a password-protected Java TrustStore (tlstruststore) file. The password must be at least six characters long, for example, cisco123 Step 8 Starting application with TLS When Cisco Nexus Data Broker is running in TLS mode and if you restart Cisco Nexus Data Broker with the saved configuration, the./runxnc.sh -start command starts the application in TLS mode again. If you do not want to restart Cisco Nexus Data Broker in TLS mode, then delete the configuration/startup/tlsconf.conf file and start the application using the./runxnc.sh -start command again. You do not need to provide the TLS KeyStore and TrustStore passwords when Cisco Nexus Data Broker is restarted with the saved configuration. Creating a Public Certificate Using SSL Certification Complete the following steps to create a public certificate using the SSL certification: Step 1 Create a certificate service request using the command: openssl req -newkey rsa:2048 -sha256 -keyout cert.key -keyform PEM -out cert.req -outform PEM [root@rhel-vm-ndb-aci newcert]# openssl req -newkey rsa:2048 -sha256 -keyout cert.key -keyform PEM -out cert.req -outform PEM Generating a 2048 bit RSA private key writing new private key to 'cert.key' Enter PEM pass phrase: ciscoxnc Verifying - Enter PEM pass phrase: ciscoxnc You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:CA Locality Name (eg, city) [Newbury]:SJ Organization Name (eg, company) [My Company Ltd]:cisco Organizational Unit Name (eg, section) []:insbu Common Name (eg, your name or your server's hostname) []:RHEL-VM-NDB-ACI.cisco.com 6

7 Managing TLS Certificate, KeyStore, and TrustStore Files Creating a Public Certificate Using SSL Certification Address []:bosellap@cisco.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@rhel-vm-ndb-aci newcert]# ls cert.key cert.req [root@rhel-vm-ndb-aci newcert]# Step 2 Create the public certificates using Cisco internal certification Website, sslcerts.cisco.com. a) Enter the command: cat cert.req [root@rhel-vm-ndb-aci newcert]# cat cert.req -----BEGIN CERTIFICATE REQUEST----- MIIC1DCCAbwCAQAwgY4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UE BxMCU0oxDjAMBgNVBAoTBWNpc2NvMQ4wDAYDVQQLEwVpbnNidTEiMCAGA1UEAxMZ UkhFTC1WTS1OREItQUNJLmNpc2NvLmNvbTEhMB8GCSqGSIb3DQEJARYSYm9zZWxs YXBAY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq2k+ c3p8fbgyxfvlbnjplbvok9oabk/gcvqwziwgm0w5gf29sljgtavhk1zgzuksycjt 5mV2Or9VfiffT3/2tps7IBy97NsIyj5Rc+KGBKMSpEXqyCylLdMy+LMAiYPt4Nn8 k7hi8gglvthh5snusqm/jnp7hbhotzjd3iuqoe8ugtgrb1skfcr7uymkpdfcvzsz df+gb15tag9vmktubpljzluzatzdkivxwcpkzbwsrd5d4jhvzk5ufthj/lscqwhs gn0872mcqtnmmqjc1sempildvqkbgsde+8s0jaivd/ws+w3lu7gosk91vbolxtdb ypjatq1d06b2qyi4bwidaqaboaawdqyjkozihvcnaqelbqadggebafyok/pxfolg 4ba1J0BP6pEa88z2um53xVitVegmBv4Chb/yd87/ucn7CW/x9GPdgHqVn8Y0K71G xkzi6s34cklasf4vsa7qtq/8rstlwa+hz/qptebwer0k32lwcbqgldzrhsuvf4/3 sysuqndype+zy0iqhhx8bk1/giibexbl+uuyvc8s6cr7rcd3nnel574da2pk+pu3 GJEn811iXr6py1YqRX52jqkNbCSfy+czrC/oiBWjZZ3wTIos6uAgQTiCWqDip/sJ 1kAsNWVA9koZ32HXdPXZ3mQXImla1l62FEFpyJfLJ7v5DEwDh7edkSoKphLGDIP7 /ICkW4Si5rA= -----END CERTIFICATE REQUEST----- [root@rhel-vm-ndb-aci newcert]# Step 3 Step 4 Step 5 b) Copy the certificate request from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- from the output. c) Use the CSR file to request a signed certificate from an external certificate authority. Copy the certificates to the Cisco Nexus Data Broker server. There are 3 certificate files: root, intermediate, and domain. Import the keys in to the keystore file. Use the command openssl pkcs12 -export -in <domain certificate> -inkey <gen key> > inter_keystore to import the key. The input files are domain certificate and cert.key and store it in inter_keystore file: openssl pkcs12../cert.key > inter_keystore -export -in RHEL-VM-NDB-ACI.cisco.com.cer -inkey Enter pass phrase for../cert.key: Enter Export Password: 7

8 Creating a Public Certificate Using SSL Certification Managing TLS Certificate, KeyStore, and TrustStore Files Verifying - Enter Export Password: ls inter_keystore RHEL-VM-NDB-ACI.cisco.com.cer RHEL-VM-NDB-ACI.cisco.com.zip test-root-ca-2048.cer test-ssl-ca.cer Step 6 Import all the certificates in to the inter_keystore file a) Import the root certificate file. keytool -import -trustcacerts -alias root -file test-root-ca-2048.cer -keystore inter_keystore Enter keystore password: Owner: CN=TEST Root CA 2048, O=Cisco Systems Issuer: CN=TEST Root CA 2048, O=Cisco Systems Serial number: 228afc0c5220cda94e298af8cdad4243 Valid from: Thu Feb 19 13:01:38 PST 2004 until: Fri Aug 11 13:29:31 PDT 2034 Certificate fingerprints: MD5: 90:73:67:6A:03:B4:38:85:CA:48:3E:AB:6C:25:74:77 SHA1: 91:AD:ED:70:CB:E0:1A:D5:9A:18:DC:EF:82:B2:1C:A9:60:7D:3C:2D SHA256: A0:1E:1E:A7:D1:47:59:63:B1:0F:E9:DF:71:A6:5A:2B:12:DC:C0:BF:F8:07:B4:FA:52:3E:95:3A:0D:8D:29:DC Signature algorithm name: SHA1withRSA Version: 3 Extensions: #1: ObjectId: Criticality=false 0000: #2: ObjectId: Criticality=false 0000: B3 88 0A C1 E3 2F 9E 28 DC 61 A0 D8.../.(.a : B F2 16 8B..E... #3: ObjectId: Criticality=true BasicConstraints:[ CA:true PathLen: ] #4: ObjectId: Criticality=false KeyUsage [ DigitalSignature Key_CertSign Crl_Sign ] #5: ObjectId: Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: CA 1C 01 A4 F7 5F A6 C2 18 1C BD FB..._ : 1B FA BA 7A...z ] ] Trust this certificate? [no]: yes Certificate was added to keystore 8

9 Managing TLS Certificate, KeyStore, and TrustStore Files Creating a Public Certificate Using SSL Certification b) Import the intermediate certificate file. keytool -import -trustcacerts -alias intermediate -file test-ssl-ca.cer -keystore inter_keystore Enter keystore password: Certificate was added to keystore c) Import the domain certificate file. keytool -import -trustcacerts -alias cisco -file RHEL-VM-NDB-ACI.cisco.com.cer -keystore inter_keystore Enter keystore password: Certificate already exists in keystore under alias <1> Do you still want to add it? [no]: yes Certificate was added to keystore Step 7 Copy the inter_keystore file as keystore file under xnc/configuration. [root@rhel-vm-ndb-aci configuration]# cp../../cert/demo/inter_keystore keystore [root@rhel-vm-ndb-aci configuration]# ls cert.key context.xml keystore logback.xml org.eclipse.osgi tomcat-logging.properties web.xml xncjgroups.xml config.ini generatewebuicertificate.sh keystore_old org.eclipse.equinox.console.authentication.config startup tomcat-server.xml xncinfinispan.xml Step 8 Stop and start the controller. [root@rhel-vm-ndb-aci configuration]# cd.../runxnc.sh -stop Controller with PID: Stopped!./runxnc.sh -status Doesn't seem any Controller daemon is currently running./runxnc.sh -start Running controller in background with PID: 11172, to connect to it please SSH to this host on port

10 Creating a Public Certificate Using SSL Certification Managing TLS Certificate, KeyStore, and TrustStore Files NDB GUI can be accessed using below URL: [ -status Controller with PID: Running! Step 9 In the user interface, click Add Exception... in the message window to connect to the Website. Completing the procedure outlined above creates a public certificate using the SSL certification. 10